public-webappsec@w3.org mailing list archive, March 2013

Re: Canonical paths

From: Mike West <mkwst@google.com>
Date: Mon, 18 Mar 2013 11:46:35 +0100
Message-ID: <CAKXHy=f5V_H3tdV4OLZ8PdQoWMKPg4OFB7D4kLP0u7prVB5pGQ@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Nick Krempel <ndkrempel@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Makes sense: added as
https://dvcs.w3.org/hg/content-security-policy/rev/508b840781ca

-mike

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Sat, Mar 9, 2013 at 12:24 AM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 3/1/2013 12:24 PM, Nick Krempel wrote:
>
>> Given a host source expression like "http://www.w3.org/scripts/", I
>> couldn't see any wording in the CSP 1.1 draft to make sure that
>> "http://www.w3.org/scripts/../bad.js"
>> doesn't match it. Is this a problem?
>>
>
> It's not a problem if user agents canonicalize URLs according to
> http://tools.ietf.org/html/rfc3986#section-6.2.2.3 before applying CSP
> restrictions. Firefox does and I assume Chrome does too, but it probably
> wouldn't hurt to mention it explicitly in the spec.
>
>
> The 3.2.2 Source List section of the CSP spec does mention two parts of
> rfc3986 in the syntax section. We should add a step 0 to section 3.2.2.2
> "Matching"
>
>   0. The URI must be normalized according to RFC 3986 section 6
>   1. If the source expression....
>
> -Dan Veditz
>
>
Received on Monday, 18 March 2013 10:47:29 UTC
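The "step 0" proposed in the thread, as an added example that is not code from the thread or from any browser's CSP implementation: RFC 3986 section 6.2.2 normalization (percent-decoding of unreserved characters, dot-segment removal) applied to a URL before the CSP path-prefix check, showing that the un-normalized "http://www.w3.org/scripts/../bad.js" matches "/scripts/" while the normalized form does not. The function names and the `canonicalize` switch are assumptions for illustration.

```python
import re
import string
from urllib.parse import urlsplit, urlunsplit

UNRESERVED = string.ascii_letters + string.digits + "-._~"


def decode_unreserved(path: str) -> str:
    # RFC 3986 6.2.2.1/6.2.2.2: decode %XX for unreserved chars, uppercase the rest
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else m.group(0).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", repl, path)


def remove_dot_segments(path: str) -> str:
    # RFC 3986 5.2.4, the algorithm that 6.2.2.3 (path segment normalization) applies
    output, inp = [], path
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./") or inp.startswith("/./"):
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../") or inp == "/..":
            inp = "/" + inp[4:]
            if output:
                output.pop()
        elif inp in (".", ".."):
            inp = ""
        else:
            end = inp.find("/", 1 if inp.startswith("/") else 0)
            end = len(inp) if end == -1 else end
            output.append(inp[:end])
            inp = inp[end:]
    return "".join(output)


def normalize(url: str) -> str:
    p = urlsplit(url)
    path = remove_dot_segments(decode_unreserved(p.path))
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, p.query, p.fragment))


def path_matches(source_path: str, url: str, canonicalize: bool = True) -> bool:
    # CSP path-prefix rule: a source path ending in "/" matches any path beneath it;
    # canonicalize=False shows what a matcher without "step 0" would decide (hypothetical)
    path = urlsplit(normalize(url) if canonicalize else url).path
    if source_path.endswith("/"):
        return path.startswith(source_path)
    return path == source_path
```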

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:00 UTC